Skill Guide

EU AI Act risk-tier classification and compliance mapping

The systematic process of categorizing AI systems into the EU AI Act's four risk tiers (unacceptable, high, limited, minimal) and mapping each to its specific set of legal obligations and compliance pathways.

This skill is critical for legal, compliance, and product teams to avoid prohibitive fines (up to €35M or 7% of global turnover), enable market access for AI products in the EU, and build stakeholder trust through demonstrable regulatory adherence. It directly impacts product roadmap feasibility, time-to-market, and corporate risk exposure.

How to Learn EU AI Act risk-tier classification and compliance mapping

1. Master the Act's foundational definitions: 'AI system,' 'provider,' 'deployer,' 'placing on the market.'
2. Memorize the risk pyramid and the 8 prohibited AI practices (e.g., social scoring, real-time biometric identification in public spaces).
3. Understand the core documentation requirements for high-risk systems: technical documentation, risk management, data governance, transparency, human oversight.

1. Apply the classification logic to real-world product features (e.g., an AI-powered CV screening tool is high-risk under Annex III).
2. Conduct gap analyses against high-risk requirements for an existing system.
3. Avoid common mistakes: confusing 'limited' risk transparency obligations with 'high' risk full conformity assessments, or misinterpreting exemptions for research/open-source.

1. Architect cross-functional compliance frameworks integrating legal, engineering, and data science workflows.
2. Navigate complex scenarios: a single AI system with multiple risk components, or systems that evolve via continuous learning.
3. Develop internal governance structures and training programs to scale compliance knowledge across product teams and mentor junior staff.

Practice Projects

Beginner
Case Study/Exercise

Classify and Document a Hypothetical AI Tool

Scenario

You are given a specification for a 'SmartHire' AI that screens job applications based on psychometric video interview analysis. Determine its risk tier.

How to Execute
1. List all functional components.
2. Map components against Annex III categories (Employment, 'substantially influencing a person's access to private/public services').
3. Check against Article 5 prohibitions (e.g., does it use emotion recognition?).
4. Draft a one-page 'Risk Classification Rationale' memo citing specific articles.
Intermediate
Case Study/Exercise

Conduct a Compliance Gap Analysis

Scenario

A company has an existing high-risk AI system for credit scoring. They need to prepare for mandatory conformity assessment before market launch in the EU.

How to Execute
1. Map the system's current documentation (data sheets, model cards) to the Annex IV technical documentation requirements.
2. Identify gaps in the risk management system (Article 9) and post-market monitoring plan (Article 72).
3. Draft an action plan to address gaps, assigning owners for human oversight, logging, and robustness testing.
Advanced
Case Study/Exercise

Design a Compliance Operating Model for a Product Portfolio

Scenario

As Head of AI Governance, you must design a scalable process to classify and ensure compliance for 50+ AI features across products, many with components from third-party vendors.

How to Execute
1. Develop an internal 'Risk Classification Matrix' and decision tree for product managers.
2. Create a tiered intake and review process with mandatory check gates at design, build, and deploy phases.
3. Establish a vendor qualification protocol for third-party AI components (e.g., model APIs).
4. Design training and a centralized 'Compliance Dossier' repository for audit readiness.

Tools & Frameworks

Regulatory & Legal Texts

EU AI Act Official Text (Final)
Annex III (High-Risk List)
Article 5 (Prohibited Practices)
Article 6 (High-Risk Classification Rules)

The primary source. Use Annex III as a checklist for high-risk designation. Article 6 sets out the rules for when an AI system is classified as high-risk, including cases not listed in Annex III.

Mental Models & Methodologies

Regulatory Decision Trees
Conformity Assessment Frameworks (e.g., from ISO/IEC 42001)
Risk Management Frameworks (ISO 31000)
Documentation Templates (Model Cards, Data Sheets)

Decision trees operationalize the legal text into Yes/No questions. Aligning with ISO/IEC 42001 (AI Management System) provides a structured, auditable foundation for high-risk compliance.

Software & Platforms

Governance, Risk, and Compliance (GRC) Platforms (e.g., ServiceNow GRC, OneTrust)
AI Lifecycle Management Tools (e.g., IBM OpenPages, Fiddler)
Version Control for Documentation (Confluence, SharePoint)

GRC platforms can model the Act's requirements, track assessments, and manage evidence. AI lifecycle tools help maintain the required logs, risk assessments, and model versioning for high-risk systems.
